Discovered a CSRF (cross-site request forgery) vulnerability (CVE-2015-6378) in the Optus-branded Cisco DPQ3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with Embedded Digital Voice Adapter (EDVA) that allows an unauthenticated, remote attacker to change settings in the device. This can be used for DNS hijacking, a type of malicious attack that overrides the router's DNS settings to point it at a rogue DNS server, thereby invalidating the default DNS settings of the LAN.
The attacker first lures victims to a website containing the CSRF attack script. When someone lands on such a site, the browser sends a single HTTP request to the router with a malicious DNS server IP address. Once the malicious version replaces the current DNS server IP address, the infection is complete. After that, all traffic that passes through the compromised modem is redirected to the malicious DNS server IP address, where the attackers can intercept any data they wish.
For example, if a user tries to access a legitimate banking site, they could be redirected to a spoofed version of the site, from where the attackers would be able to steal their credentials.
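The request described above reaches the router from a page on another site, so a same-origin check on settings changes rejects it. The following is an added example, not code from the original advisory or from the vendor's firmware; the admin address `192.168.0.1` and the names `origin_of` and `allow_request` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the admin UI is served from this origin (constructed value).
TRUSTED_ORIGINS = {"http://192.168.0.1"}
# Assumption: settings are only ever changed through these methods.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port], or None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # covers the literal "null" origin and non-HTTP schemes
    host = parts.hostname.lower()
    if port in (None, DEFAULT_PORTS[parts.scheme]):
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def allow_request(method, headers, trusted=TRUSTED_ORIGINS):
    """Return True if the request may proceed to the settings handler."""
    if method.upper() not in STATE_CHANGING:
        return True  # reads pass; they must not have side effects
    lowered = {k.lower(): v for k, v in headers.items()}
    # Browsers send Origin on cross-site POSTs; fall back to Referer.
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return False  # fail closed when the sender cannot be identified
    return origin_of(source) in trusted
```

An origin check like this is normally paired with a per-session anti-CSRF token and with authentication on every settings request.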